fix: add Next.js RSC headers to CloudFront CachePolicy to prevent cache poisoning

konokenj · konokenj · commit 9f766c8cfcc5 · 2026-03-20T10:48:26.000+09:00
Add RSC, Next-Router-Prefetch, Next-Router-State-Tree, and Next-URL headers to CacheHeaderBehavior.allowList so that CloudFront distinguishes RSC flight responses from HTML responses in the cache key. Without these headers, static/ISR pages can serve text/x-component data for normal HTML requests (or vice versa) when CloudFront caching is active. Closes #100
diff --git a/cdk/lib/constructs/cf-lambda-furl-service/service.ts b/cdk/lib/constructs/cf-lambda-furl-service/service.ts
@@ -89,6 +89,13 @@ export class CloudFrontLambdaFunctionUrlService extends Construct {
         'X-HTTP-Method-Override',
         'X-HTTP-Method',
         'X-Method-Override',
+        // Next.js App Router RSC headers to prevent cache poisoning.
+        // Without these, RSC flight responses (text/x-component) and HTML responses
+        // share the same cache key, causing wrong content to be served.
+        'RSC',
+        'Next-Router-Prefetch',
+        'Next-Router-State-Tree',
+        'Next-URL',
       ),
       defaultTtl: Duration.seconds(0),
       cookieBehavior: CacheCookieBehavior.all(),
